NVR HNR51P6-16 and NC304-XD Turret Cameras System Reset and Cannot add Cameras

Trinergy · May 6, 2020

Hello,

I recently reset the NVR because we did not have the password. Hikvision says its not theirs or from this region "RR" in the serial code. So the reset worked but now the cameras are still using the old password and are offline. I tried to take apart a camera but they had no reset button. Furthermore, I have turned on virtual host but when I try to access the provided link in the NVR it times out and fails. I even tried using the password hack tool with the port numbers but that did not work either. Any thoughts on what else I can do? I did find two XML files labeled IPCAM on a PC one with the model # of the cameras in back to 2017 and another with a date stamp. I tried to import them but the NVR was looking for an XLS file (really weird) for the cameras. I have attached them here. I could only get the buttons to work in IE 11.

I keep hitting a road block every time I think I get further. Like how does a camera not have a reset button?

Any help would be appreciated.

alastairstevenson · May 6, 2020

Trinergy said:
now the cameras are still using the old password and are offline.

Assuming these are really Hikvision OEM cameras -
Connect the PC to an unused NVR PoE port and use SADP to see the camera firmware version.
If you are lucky, it may be old enough to have the backdoor vulnerability, which can be used to extract the password.

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.

ipcamtalk.com

Trinergy · May 6, 2020

It say's v5.4.4build 170123 and both reset tools did not work. SADP reports: NC304-XD20170527BBWR768992912 and camera has 768992912. I assumed the latter is the actual serial number which is what I used in the web page tool.

I assume I SOL unless I goofed up the serial #? Since there is no other password reset. Is it possible to send my key to Chinese or Europe support address? since the camera is a WR version? Is there another Worldwide location where I can send the password reset to other than US?

pozzello · May 6, 2020

post a screen shot of the SADP listings and some pictures of one of the cams including any identifying labels or markings...
you may be able to flash firmware onto the cams via TFTP, which would reset them, but need to make sure to use the right firmware.
if you take a packet capture using Wireshark while one of the cam's is booting up, you'll see it ARP'ing for 192.0.0.128 (from 192.0.0.64)
which means it's looking for a TFTP server to grab firmware from...

Trinergy · May 6, 2020

Thanks. Attached the pics. Downloading and installing wireshark now.

pozzello · May 6, 2020

ok, those are definitely hikvsion OEM'd, from Winic. there's a 5.5.5. version available here:

Winic Firmware Download (search for your model nc304-xd)

then get the TFTPd server here: TFTPServ
and follow step 1-5s or so from here: R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.
(Ignore the 'brick-fix' aspect, you're just putting the latest firmware for your cams on in a destructive/reset fashion).

good luck!

Trinergy · May 6, 2020

Thanks for a possible solution and the links.

Sent from my SM-G975U using Tapatalk

pozzello · May 6, 2020

come to think of it, you might contact Winic support to see if they can help you with a password reset...
- Winic Technologies USA, Inc.
may depend on who purchased the system and where, but worth a try...

Trinergy · May 7, 2020

Well no dice. TFTP just sat there after a dozen reboots of the camera. Checked wireshark and only thing on 192.0.0.x is my laptop

alastairstevenson · May 7, 2020

A couple of things :

Trinergy said:
It say's v5.4.4build 170123 and both reset tools did not work.

Do all the cameras have the same version, are there any older than that?
If so - they will have the backdoor vulnerability that allows password extraction.

That version of firmware is marginal for having the backdoor vulnerability, especially if it's an OEM model.
Worth trying, easy enough to do :
Connect the PC to an unused NVR PoE port, change the PC IP address to, say, 192.168.254.200 and try this URL in the browser -

http://192.168.254.48/System/configurationFile?auth=YWRtaW46MTEK

See if it yields a configuration file without asking for logon credentials.

On the wireshark capture - could it be that the Windows firewall or a network AV is blocking the camera inbound probes?
Maybe try with the firewall disabled temporarily.

On the Hikvision tftp updater - it's unreliable when the camera is powered with PoE, the timing can be marginal.
Do you have the chance to try it with a 12v external supply?
Also it's best when both camera and PC are wired to a switch or router as opposed to being directly connected, again a timing issue.

Trinergy · May 7, 2020

I had the firewall off and plugged into to a switch with the camera directly on a POE port. I only have a POE injector outside of my switch to power it. Let me see if there are any other power supplys around that can fit and provide 12v.

I will have to try getting someone to plug the PC onto the NVR today as I am remote.

Thanks again.

Sent from my SM-G975U using Tapatalk

alastairstevenson · May 7, 2020

Trinergy said:
I had the firewall off and plugged into to a switch with the camera directly on a POE port.

Sorry, but I don't quite follow.
The camera was connected as normal to an NVR PoE port? If so - how was the PC connected?
Or the camera and PC were both plugged in to a PoE switch?

Trinergy · May 7, 2020

alastairstevenson said:
A couple of things :

Do all the cameras have the same version, are there any older than that?
If so - they will have the backdoor vulnerability that allows password extraction.

That version of firmware is marginal for having the backdoor vulnerability, especially if it's an OEM model.
Worth trying, easy enough to do :
Connect the PC to an unused NVR PoE port, change the PC IP address to, say, 192.168.254.200 and try this URL in the browser -

http://192.168.254.48/System/configurationFile?auth=YWRtaW46MTEK
See if it yields a configuration file without asking for logon credentials.

On the wireshark capture - could it be that the Windows firewall or a network AV is blocking the camera inbound probes?
Maybe try with the firewall disabled temporarily.

On the Hikvision tftp updater - it's unreliable when the camera is powered with PoE, the timing can be marginal.
Do you have the chance to try it with a 12v external supply?
Also it's best when both camera and PC are wired to a switch or router as opposed to being directly connected, again a timing issue.

I am going to have someone plug in a PC into the NVR to check.

I tried the link and it just gave me a login prompt that said "Your Connection is Not Secure".

I had the firewall off as well as my AV (Forticlient).

I tried again with a 12v Netgear switch power supply but the same result no TFTP nor did it search for .128.

alastairstevenson · May 7, 2020

Trinergy said:
I tried the link and it just gave me a login prompt that said "Your Connection is Not Secure".

Just a warning, for this purpose can be ignored.
But that URL can only work if the PC is on the same network as the cameras - on an unused NVR PoE port.

Trinergy said:
I tried again with a 12v Netgear switch power supply but the same result no TFTP nor did it search for .128.

With both the PC and camera wired to the switch?

Trinergy · May 7, 2020

Got it, I was trying to do it with the camera I have now in my possession. I got someone to plug into the NVR now so I will try there.

Trinergy · May 7, 2020

All of the cameras have the same build in the SADPtool. A few have H in front of the model name. I will try the link on every camera.

Trinergy · May 7, 2020

Confirmed none of them seem vulnerable to the backdoor.

Trinergy · May 7, 2020

Also to answer your other question about cam and pc, yes they were both on the same switch.

alastairstevenson · May 7, 2020

Trinergy said:
Confirmed none of them seem vulnerable to the backdoor.

Ah, that's a pity. It looks like they have just crept over the version threshold for the fix.
It would have been a quick fix for the password problem.

And it seems the tftp updater doesn't want to play with the camera is on a 12v power supply, both PC and camera wired to a switch, no firewall on the PC - and wireshark not showing any probes from the camera.

But that is a bit odd as I'd have expected to see an ARP for 192.0.0.128 in preparation for the UDP probe in your wireshark capture in post #9.

Trinergy · May 7, 2020

TFTP updater was on same switch with laptop running on either POE or 12v with no firewall or AV on laptop and Wireshark not showing any probes from the camera. I sorted by ARP requests in Wireshark and nothing except the rest of my devices on the network.

Tell me about it. I was so excited to find this site. I wish I found it before I reset the NVR. Not that mattered. It did not look like there was a way to change the camera passwords without knowing the nvr password. We only had the "pattern" lock password. I guess we got a lot of bricks now.

NVR HNR51P6-16 and NC304-XD Turret Cameras System Reset and Cannot add Cameras

n3wb

Attachments

n3wb

Known around here

n3wb

Attachments

Known around here

n3wb

Known around here

n3wb

n3wb

n3wb

Attachments

n3wb

n3wb

Attachments

n3wb

n3wb

n3wb